MariaDB MariaDB Open source fork of MySQL database

Do you want an email whenever new security vulnerabilities are reported in any MariaDB product?

Products by MariaDB Sorted by Most Security Vulnerabilities since 2018

MariaDB359 vulnerabilities
Open source RDBMS forked from MySQL

MariaDB Connectorc1 vulnerability

MariaDB Maxscale1 vulnerability

By the Year

In 2024 there have been 0 vulnerabilities in MariaDB . Last year MariaDB had 3 security vulnerabilities published. Right now, MariaDB is on track to have less security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 3 6.83
2022 60 6.84
2021 15 5.43
2020 16 5.82
2019 16 5.48
2018 40 5.58

It may take a day or so for new MariaDB vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent MariaDB Security Vulnerabilities

A vulnerability was found in MariaDB

CVE-2023-5157 7.5 - High - September 27, 2023

A vulnerability was found in MariaDB. An OpenVAS port scan on ports 3306 and 4567 allows a malicious remote client to cause a denial of service.

An issue was discovered in MariaDB MaxScale before 23.02.3

CVE-2023-40354 6.5 - Medium - August 14, 2023

An issue was discovered in MariaDB MaxScale before 23.02.3. A user enters an encrypted password on a "maxctrl create service" command line, but this password is then stored in cleartext in the resulting .cnf file under /var/lib/maxscale/maxscale.cnf.d. The fixed versions are 2.5.28, 6.4.9, 22.08.8, and 23.02.3.

Cleartext Storage of Sensitive Information

MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service

CVE-2022-47015 6.5 - Medium - January 20, 2023

MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.

NULL Pointer Dereference

Vulnerability in the MySQL Server product of Oracle MySQL (component: C API)

CVE-2022-21595 4.4 - Medium - October 18, 2022

Vulnerability in the MySQL Server product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

In MariaDB before 10.9.2, compress_write in extra/mariabackup/ds_compress.cc does not release data_mutex upon a stream write failure, which

CVE-2022-38791 5.5 - Medium - August 27, 2022

In MariaDB before 10.9.2, compress_write in extra/mariabackup/ds_compress.cc does not release data_mutex upon a stream write failure, which allows local users to trigger a deadlock.

Improper Locking

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault

CVE-2022-32088 7.5 - High - July 01, 2022

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort.

MariaDB v10.4 to v10.8 was discovered to contain a segmentation fault

CVE-2022-32086 7.5 - High - July 01, 2022

MariaDB v10.4 to v10.8 was discovered to contain a segmentation fault via the component Item_field::fix_outer_field.

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault

CVE-2022-32084 7.5 - High - July 01, 2022

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component sub_select.

MariaDB v10.5 to v10.7 was discovered to contain a segmentation fault

CVE-2022-32089 7.5 - High - July 01, 2022

MariaDB v10.5 to v10.7 was discovered to contain a segmentation fault via the component st_select_lex_unit::exclude_level.

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault

CVE-2022-32085 7.5 - High - July 01, 2022

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_func_in::cleanup/Item::cleanup_processor.

MariaDB v10.2 to v10.6.1 was discovered to contain a segmentation fault

CVE-2022-32083 7.5 - High - July 01, 2022

MariaDB v10.2 to v10.6.1 was discovered to contain a segmentation fault via the component Item_subselect::init_expr_cache_tracker.

MariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.

CVE-2022-32091 7.5 - High - July 01, 2022

MariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.

Dangling pointer

MariaDB v10.5 to v10.7 was discovered to contain an assertion failure at table->get_ref_count() == 0 in dict0dict.cc.

CVE-2022-32082 7.5 - High - July 01, 2022

MariaDB v10.5 to v10.7 was discovered to contain an assertion failure at table->get_ref_count() == 0 in dict0dict.cc.

assertion failure

MariaDB v10.4 to v10.7 was discovered to contain an use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc.

CVE-2022-32081 7.5 - High - July 01, 2022

MariaDB v10.4 to v10.7 was discovered to contain an use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc.

Dangling pointer

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault

CVE-2022-32087 7.5 - High - July 01, 2022

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_args::walk_args.

MariaDB Server before 10.7 is vulnerable to Denial of Service

CVE-2022-31621 5.5 - Medium - May 25, 2022

MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_xbstream.cc, when an error occurs (stream_ctxt->dest_file == NULL) while executing the method xbstream_open, the held lock is not released correctly, which allows local users to trigger a denial of service due to the deadlock.

Improper Locking

MariaDB Server before 10.7 is vulnerable to Denial of Service

CVE-2022-31623 5.5 - Medium - May 25, 2022

MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_compress.cc, when an error occurs (i.e., going to the err label) while executing the method create_worker_threads, the held lock thd->ctrl_mutex is not released correctly, which allows local users to trigger a denial of service due to the deadlock.

Improper Locking

MariaDB Server before 10.7 is vulnerable to Denial of Service

CVE-2022-31622 5.5 - Medium - May 25, 2022

MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_compress.cc, when an error occurs (pthread_create returns a nonzero value) while executing the method create_worker_threads, the held lock is not released correctly, which allows local users to trigger a denial of service due to the deadlock.

Improper Locking

MariaDB Server before 10.7 is vulnerable to Denial of Service

CVE-2022-31624 5.5 - Medium - May 25, 2022

MariaDB Server before 10.7 is vulnerable to Denial of Service. While executing the plugin/server_audit/server_audit.c method log_statement_ex, the held lock lock_bigbuffer is not released correctly, which allows local users to trigger a denial of service due to the deadlock.

Improper Locking

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS)

CVE-2022-21427 4.9 - Medium - April 19, 2022

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 5.7.37 and prior and 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.